Abstract

This chapter highlights the broad range of factors that are relevant to the design of information security awareness programs, primarily by reference to the literature. It emphasizes the need to supplement technical information security controls with security awareness, training and educational activities to address human vulnerabilities. It outlines requirements noted in standards, laws and regulations, and explains the value of motivational employee communications techniques in creating a security culture.

Introduction

As with health and safety or legal compliance, management can hardly expect employees to comply with corporate information security policies, adopt security standards and follow security procedures if they don’t even know of their existence. Information security awareness is therefore an essential component of effective information security management systems, supporting and enhancing the technical and procedural information security controls and contributing to the corporation’s overall governance. In order to instill a genuine security culture throughout the organization, the awareness issue goes well beyond simply informing employees of their security obligations. To overcome the inevitable change resistance or inertia, employees have to be both informed and motivated to modify their behaviors, to ‘think security and act securely’. This chapter explains the challenges and details information security awareness approaches that work, using quotations from others in the field to illustrate the points made.

Key Terms in this Chapter

Awareness: Broad appreciation and understanding of concepts (such as information security risks and controls) and obligations, achieved through guidance and motivation.

Inspirational: Characteristic of security awareness programs that inspire a commitment to security, for example by encouraging audiences to seek out further information and share knowledge with their peers.

Captivating: Characteristic of awareness programs that engage and interest their audiences, thereby increasing the likelihood of changing behaviors for the better.

Training: Systematic process of bringing students to a level of proficiency in a given topic, acquiring specific skills and competencies.

Education: Systematic process of acquiring knowledge and factual information about more or less specific concepts (such as information security risks and controls), usually but not necessarily through formal teaching.